Abstract

A generalization of the original Diffie-Hellman key exchange in $(\mathbb{Z}/p\mathbb{Z})^*$ found a new depth when Miller [27] and Koblitz [16] suggested that such a protocol could be used with the group over an elliptic curve. In this paper, we propose a further vast generalization where abelian semigroups act on finite sets. We define a Diffie-Hellman key exchange in this setting and we illustrate how to build interesting semigroup actions using finite (simple) semirings. The practicality of the proposed extensions relies on the orbit sizes of the semigroup actions, and at this point it is an open question how to compute the sizes of these orbits in general and also whether there exists a square root attack in general.

In Section 5 a concrete practical semigroup action built from simple semirings is presented. It will require further research to analyse this system.

Keywords: Public key cryptography, Diffie-Hellman protocol, one-way trapdoor functions, 
semigroup actions, simple semirings. 
1 Introduction



The (generalized) discrete logarithm problem is the basic ingredient of many cryptographic 
protocols. It asks the following question: 

Problem 1.1 (see e.g. [26]). Given a finite group $G$ and elements $g, h \in G$, find an integer $n \in \mathbb{N}$ such that $g^n = h$.

Problem 1.1 has a solution if and only if $h \in \langle g \rangle$, the cyclic group generated by $g$. If $h \in \langle g \rangle$ then there is a unique integer $n$ satisfying $1 \le n \le \operatorname{ord}(g)$ such that $g^n = h$. We call this unique integer the discrete logarithm of $h$ with base $g$ and we denote it by $\log_g h$.

Protocols where the discrete logarithm problem plays a significant role are the Diffie-Hellman key agreement [9], the ElGamal public key cryptosystem [10], the digital signature algorithm (DSA) and ElGamal's signature scheme [26].

The Diffie-Hellman protocol [9] allows two parties, say Alice and Bob, to exchange a secret key over some insecure channel. In order to achieve this goal Alice and Bob agree on a group $G$ and a common base $g \in G$. Alice chooses a random integer $a \in \mathbb{N}$ and Bob chooses a random integer $b \in \mathbb{N}$. Alice transmits to Bob $g^a$ and Bob transmits to Alice $g^b$. Their common secret key is $k := g^{ab}$.

It is clear that solving the underlying discrete logarithm problem is sufficient for breaking 
the Diffie-Hellman protocol. For this reason researchers have been searching for groups where 
the discrete logarithm problem is considered a computationally difficult problem. 

In the literature many groups have been proposed as candidates for studying the discrete logarithm problem. Groups which have been implemented in practice are the multiplicative group $(\mathbb{Z}/n\mathbb{Z})^*$ of integers modulo $n$, the multiplicative group $F^* = F \setminus \{0\}$ of nonzero elements inside a finite field $F$ and subgroups [19], [31] of these groups. In recent times there has been intense study of the discrete logarithm problem in the group over an elliptic curve [8], [16], [27], [26] or more generally the group over an abelian variety [HI lU HZ].

In this paper, we show how the discrete logarithm problem over a group can be seen 
as a special instance of an action by a semigroup. The interesting thing is that every 
semigroup action by an abelian semigroup gives rise to a Diffie-Hellman key exchange. With 
an additional assumption it is also possible to extend the ElGamal protocol. 

The idea of using (semi)group actions for the purpose of building one-way trapdoor functions is not a new one and it appeared in one way or the other in several papers. E.g. Yamamura [36] has been considering a group action of $SL_2(\mathbb{Z})$. Blackburn and Galbraith [2] have been analyzing the system of [36] and they have shown that it is insecure. The key exchange protocol in our paper differs however from [36] and the 'bit by bit' computation of Blackburn and Galbraith [2] does not apply. Other papers where special instances of semigroup actions appear are [H], [15], [33], [23] and we will say more in a moment.

The paper is structured as follows: In the next section we define $G$-actions on sets, where $G$ is an arbitrary semigroup. Under the assumption that $G$ is abelian we define a general Diffie-Hellman protocol. In Section 3 we consider semigroup actions which can be linearized in the sense that there exists a computable homomorphism which embeds the semigroup $G$ into $\mathrm{Mat}_n(F)$, the ring of $n \times n$ matrices. Section 4 and Section 5 contain the main results of the paper. We show how semirings can be used to build interesting abelian semigroup actions.

A promising practical example which we describe in Section 5 consists of a two-sided action. The idea of such an action originates in the 2003 dissertation of Maze [24]. Later, Shpilrain and Ushakov [33] described similar two-sided actions in the context of Thompson groups. The semigroups we are studying in Section 5 are built from simple semirings. Simple semirings are of importance as they assure that the induced matrix semiring is simple. In the special case when the semiring is the ring of integers modulo $n$ Slavin [34] filed a patent for the described system citing the work of Maze. Neither [33] nor [34] build general semigroup actions starting from semirings. At this point it is not clear if there exist parameter ranges where the described two-sided action is simultaneously efficient and practically secure.

2 The generalized Diffie-Hellman protocol 

Consider a semigroup $G$, i.e., a set that comes with an associative multiplication $\cdot$. In particular we do not require that $G$ has either an identity element or that each element has an inverse. However, without loss of generality, we will always assume that the semigroup has an identity. We say that the semigroup is abelian if the multiplication $\cdot$ is commutative. Let $S$ be a finite set and $G$ a semigroup. A (left) action of $G$ on $S$ is a map

$$\varphi: G \times S \to S,$$

satisfying $\varphi(g \cdot h, s) = \varphi(g, \varphi(h, s))$. We will refer to such an action as a $G$-action on the set $S$, and when the context is clear, we denote $\varphi(g, s)$ simply by $gs$. Right actions are similarly defined.

We present now the protocols one can define based on semigroup actions: 

Protocol 2.1 (Extended Diffie-Hellman Key Exchange) Let $S$ be a finite set, $G$ be an abelian semigroup, and $\varphi$ a $G$-action on $S$. The Extended Diffie-Hellman key exchange in $(G, S, \varphi)$ is the following protocol:

1. Alice and Bob publicly agree on an element $s \in S$.

2. Alice chooses $a \in G$ and computes $as$. Alice's private key is $a$, her public key is $as$.

3. Bob chooses $b \in G$ and computes $bs$. Bob's private key is $b$, his public key is $bs$.

4. Their common secret key is then

$$a(bs) = (a \cdot b)s = (b \cdot a)s = b(as).$$

As in the situation of the discrete logarithm problem it is possible to construct ElGamal one-way trapdoor functions which are based on group actions. The interested reader finds more details in [25], [28].

One would build a cryptosystem based on a semigroup action only if the following problem 
is hard: 

Problem 2.2 (Semigroup Action Problem (SAP)): Given a semigroup $G$ acting on a set $S$ and elements $x \in S$ and $y \in Gx$, find $g \in G$ such that $gx = y$.

If an attacker, Eve, can find an $a' \in G$ such that $a's = as$, then Eve may find the shared secret by computing $a'(bs) = (a' \cdot b)s = b(a's) = b(as)$.

Although the semigroup G need not be finite, the finiteness of S is sufficient in order 
to provide a bound for the size of the data during the communication. Nevertheless, if the 
action preserves the "size" of s with respect to some fixed representation, finiteness of S is 
not necessary. 
Remark 2.3 The traditional Diffie-Hellman key exchange is a special instance of Protocol 2.1. For this let:

• $G$ be the semigroup $(\mathbb{Z}, \cdot)$ of integers.

• $S$ be a cyclic group $H$ where the discrete logarithm problem is believed to be difficult.

• $s$ be a generator of the group $H$ and the action be defined by

$$\varphi: \mathbb{Z} \times H \to H, \qquad (n, s) \mapsto s^n.$$

The identity $s^{nm} = (s^m)^n$ simply says that $\varphi$ is a commutative $G$-action and the reader readily verifies that Protocol 2.1 reduces to the traditional protocol in this case.

Of course, there is an analogous version of the Diffie-Hellman Problem stated in terms of semigroups.

Problem 2.4 (The Diffie-Hellman Semigroup Problem) Given a finite abelian semigroup $G$ acting on a finite set $S$ and elements $x, y, z \in S$ with $y = g \cdot x$ and $z = h \cdot x$ for some $g, h \in G$, find $(gh) \cdot x \in S$.

The security of Protocol 2.1 is equivalent to this problem. The only way we know how to attack Problem 2.4 is to solve SAP. It is unknown if SAP and Problem 2.4 are equivalent.

2.1 Generic attacks on the SAP 

First, we should examine the brute force attack. Suppose Eve intercepts $as$ and $bs$ through an insecure channel and wants to decode the ciphertext $a(bs) = b(as)$. She may want to try the brute force attack to solve Problem 2.2: she computes $gs$ for all possible $g \in G$ until she finds some $a'$ with $a's = as$. She is then able to break the system as explained above. To avoid this attack, Bob and Alice must choose $G$ and $S$ sufficiently large and select a good candidate for $s$. Namely, if

$$G_{\mathrm{Eve}} = \{a' \in G \mid a's = as\}$$

then the different parameters $G, S, s$ must be chosen such that the size of $G_{\mathrm{Eve}}$ is small with respect to the size of $G$.

If $G$ has the structure of a group (and not just a semigroup) then $G_{\mathrm{Eve}}$ is simply a left coset of the stabilizer group

$$\mathrm{Stab}(s) = \{g \in G \mid gs = s\}$$

and in this case we are requiring that the quotient group $G/\mathrm{Stab}(s)$ is large.

For a general abelian semigroup $G$ we observe that $\mathrm{Stab}(s)$ is still a sub-semigroup of $G$ and every element $a' \in a\,\mathrm{Stab}(s)$ has the property that $a' \in G_{\mathrm{Eve}}$, i.e., $a\,\mathrm{Stab}(s) \subseteq G_{\mathrm{Eve}}$. Again in this case we require that $\mathrm{Stab}(s)$ is small in comparison to $G$.

Note also that every sub-semigroup $H$ of $G$ gives rise to an equivalence relation on $S$. If one has the ability to efficiently compute canonical representatives for the equivalence classes (among other things), this could potentially be used to an attacker's advantage. But as we will see in Section 5 this is not always an easy task.

It is of course an interesting question if a square root attack exists for general semigroup actions. In the following we explain that for special cases this is possible. In general we do not know how to adapt the known algorithms like e.g. baby-step giant-step, or the algorithms Pollard rho or Pollard kangaroo.

Consider an arbitrary instance of the SAP, where one is given a semigroup $G$ (say as a subset of $\{0, 1\}^N$, with $N$ not too much larger than $\log_2 |G|$), a set $X$ (say as a subset of $\{0, 1\}^M$, with $M$ not too much larger than $\log_2 |X|$) and 'black-box' type functions $\pi$ and $\alpha$ for quickly computing the semigroup product and the action, respectively:

$$\pi: G \times G \to G, \qquad \alpha: G \times X \to X.$$

In addition, one is given $x \in X$ and an element $y \in Gx$ in the orbit of $x$. It is also reasonable to assume the availability of oracles for producing elements of $G$ and $X$ uniformly at random. The goal then is to find a $g \in G$ for which $\alpha(g, x) = gx = y$. We do not know a method for solving such an arbitrary instance with $O(\sqrt{|G|})$ operations, except in some special cases.

Situation I: Suppose an element $g \in G$ is known for which $g^k x = y$ for some $k \ge 1$. In this case, one first determines the period and preperiod of $g$ by a method similar to Pollard's rho method, which needs $O(\sqrt{\operatorname{ord}(g)}) = O(\sqrt{|G|})$ operations, where $\operatorname{ord}(g)$ is the period plus the preperiod of $g$ (see the definition in Section 5). Then the baby-step giant-step method can be applied in an obvious way to find $k$ with another $O(\sqrt{\operatorname{ord}(g)}) = O(\sqrt{|G|})$ operations. Note: this applies immediately to the case where $G$ is a cyclic group.

Situation II: $G$ is a group, but not cyclic. For typical groups, inverses are easily computable, but in any case, one may always find inverses with $O(\sqrt{|G|})$ group operations, so it suffices to solve $g_1 x = g_2 y$, from which one obtains $(g_2^{-1} g_1)x = y$. For this, a randomized baby-step giant-step is possible. Compute and store a set $A = \{h_1 x, \ldots, h_m x\}$ for randomly chosen $h_i \in G$ and $m \approx \sqrt{|G|}$. With clever hashing techniques (or, in the worst case, sorting $A$) it is possible to quickly test if a given element of $X$ is in the set $A$. One then chooses random values of $h \in G$ until one is found with $hy \in A$. If $hy \in A$, we then have $hy = h_i x$ for some $i$, and so $g = h^{-1} h_i$.

If the semigroup is neither a group nor the set-theoretic union of a small number of cyclic sub-semigroups we do not know how to adapt the algorithms known for the DLP of abelian groups (see e.g. [3]). In contrast to the DLP, actions of a semigroup $G$ on a set $X$ can result in a $G$-orbit $Gs$, $s \in X$, consisting of many ultimately periodic orbits $\{g^k s \mid k \in \mathbb{N}\}$, $g \in G$. We have observed such phenomena in the action described in Section 5. It is an open research question to come up with a possible square root attack or to show that under certain conditions a square root attack cannot exist for general semigroup actions on sets.

For semigroup actions where a square root attack exists and no other attack is known 
(like e.g. the DLP over an elliptic curve) it is generally accepted that an orbit size having 
160 bits is sufficient for practical security. For cases where no square root attack is known 
orbit sizes of 80 bits could be sufficient for practical security. 

3 Linear abelian semigroup actions over fields 

This section is about linearity in the sense that there is a way to see the semigroup action as a matrix action on some vector space. We show that if the correspondence between the two approaches is computationally feasible, then the Diffie-Hellman semigroup problem and the semigroup action problem may be solved easily. Two examples of such actions are presented at the end of the section.
Let us describe the situation more specifically. Let $F = \mathbb{F}_q$ be the field with $q$ elements. Suppose we are given an action $G \times S \to S$, with $G$ a finite abelian semigroup and $S$ a finite set, a semigroup homomorphism $\rho: G \to \mathrm{Mat}_n(F)$ (with multiplication as operation) and an embedding $\psi: S \to F^n$ such that for all $g \in G$, $s \in S$ one has

$$\psi(g \cdot s) = \rho(g)\psi(s).$$

So $\rho(G)$ is a commutative sub-semigroup of $\mathrm{Mat}_n(F)$. Let $F[G]$ be the commutative subalgebra of $\mathrm{Mat}_n(F)$ generated by the elements of $\rho(G)$.

Suppose there exist polynomial time algorithms that compute the semigroup operation, the semigroup action, the values of the maps $\rho$ and $\psi$ and polynomial time algorithms that compute $\rho^{-1}(M)$ for each $M \in \rho(G)$ and $\psi^{-1}(v)$ for each $v \in \psi(S)$. The next theorem does not take into consideration the speed of these algorithms. It only describes what can be done at the level of the linear algebra without taking into consideration the reduction itself. We also suppose we have access to an oracle $\mathcal{A}$ that allows us to randomly choose elements in $F[G]$. This assumption takes into account the desire to capture the situations where the semigroup $G$ is close to a real matrix algebra.

Theorem 3.1 Let $G, S, \psi$ be arbitrary parameters as above and let $k = \dim_F F[G]$. Then:

1. There exists a probabilistic polynomial time reduction of the Diffie-Hellman semigroup problem to a linear algebra problem over $F$ that can be solved in an expected $O(k^2 n + n^3)$ number of field operations.

2. Let $N = |F[G]|/|G|$. There exists a probabilistic polynomial time reduction of the SAP to a linear algebra problem over $F$ that can be solved in an expected $O(N(k^2 n + n^3))$ number of field operations.

The above $O$-constants come from the cost of standard linear algebra problems and bounded expected values.

Proof: Let $x$, $y = g \cdot x$ and $z = h \cdot x$ be three elements of $S$ with $u, v$ and $w$ their images in $F^n$. We consider the semigroup action problem instance with parameters $x$ and $y$ and the Diffie-Hellman semigroup problem instance with additional parameter $z$.

1. Suppose we have chosen randomly $k$ different elements $M_1, \ldots, M_k$ in $F[G] \subseteq \mathrm{Mat}_n(F)$ with $k$ calls to the oracle $\mathcal{A}$. The probability that this family is in fact a basis of the vector space $F[G]$ over $F$ is equal to the probability $P$ that a random matrix chosen in $\mathrm{Mat}_k(F)$ is invertible, which satisfies

$$P = \mathrm{Prob}(M_1, \ldots, M_k \text{ is a basis of } F[G]) = \frac{|GL_k(F)|}{|\mathrm{Mat}_k(F)|} = \frac{(q^k - 1)(q^k - q) \cdots (q^k - q^{k-1})}{q^{k^2}}.$$
See [20] for the cardinality of $GL_k(F)$. Suppose for the moment that $B = \{M_1, \ldots, M_k\}$ is a basis of $F[G]$. If $k \ge n$ we extract a sub-family of cardinality $n$, say $M_{i_1}, \ldots, M_{i_n}$, of $M_1, \ldots, M_k$ such that

$$\mathrm{Span}_F\{M_{i_1}u, \ldots, M_{i_n}u\} = \mathrm{Span}_F\{M_1 u, \ldots, M_k u\}.$$

Note that this is always possible and can be done in $O(k^2 n)$ field operations (see [7]). If $k < n$ then we may simply complete $B$ with enough zero matrices to have a family of cardinality $n$. Let us consider the following equations with unknowns $a_1, \ldots, a_n \in F$ and $b_1, \ldots, b_n \in F$:

$$(a_1 M_{i_1} + \cdots + a_n M_{i_n})u = v \quad \text{and} \quad (b_1 M_{i_1} + \cdots + b_n M_{i_n})u = w. \qquad (2)$$

If $B$ is a basis, then both possess at least one solution because of the property of the family $M_{i_1}, \ldots, M_{i_n}$. If $a = [a_1, \ldots, a_n]^t$ and $b = [b_1, \ldots, b_n]^t$ then Equations (2) are equivalent to the following:

$$[M_{i_1}u \mid \cdots \mid M_{i_n}u]\, a = v \quad \text{and} \quad [M_{i_1}u \mid \cdots \mid M_{i_n}u]\, b = w,$$

and therefore both possess a solution that can be found by solving an $n \times n$ system of linear equations in $F$. If the previous systems do not each have a solution, then we choose another family $M_1, \ldots, M_k$ and restart the process; the number of trials is expected to be less than 4 by Inequality (1). Therefore we can find the vectors $a$ and $b$ in $O(n^3)$ field operations.

The matrices

$$M_g = (a_1 M_{i_1} + \cdots + a_n M_{i_n}) \quad \text{and} \quad M_h = (b_1 M_{i_1} + \cdots + b_n M_{i_n})$$

satisfy

$$M_g M_h = M_h M_g, \qquad M_g u = v \quad \text{and} \quad M_h u = w.$$

Let $\alpha = M_g M_h u = M_h M_g u$. Since $M_g u = \rho(g)u$ and $M_h u = \rho(h)u$, we have

$$\alpha = M_g M_h u = \rho(g)\rho(h)u = \psi((gh) \cdot x) \implies \psi^{-1}(\alpha) = (gh) \cdot x$$

which shows that the Diffie-Hellman semigroup problem instance can be solved after a resolution of a family of problems that take $O(k^2 n + n^3)$ operations over $F$.

2. The matrix $M_g$ above belongs to $\rho(G)$ with probability $1/N$. Therefore the number of trials before reaching this state is $O(N)$. If $M_g \in \rho(G)$, then $g = \rho^{-1}(M_g)$ is a solution to the semigroup action problem since $\psi(y) = M_g \psi(x) = \psi(g \cdot x)$.

□ 

Here are some examples where the previous theorem holds or can be used: 
Example 3.2 Let $M$ be an $n \times n$ matrix with entries in $F = \mathbb{F}_q$ and $G = F[M]$ acting on $F^n$. If the minimal polynomial of $M$ is $m(x)$ then $F[M] \cong F[x]/(m(x))$ (with this isomorphism being efficiently computable) and the latter is a vector space of dimension $k = \deg m \le n$. In such a situation, both the semigroup action problem and the Diffie-Hellman semigroup problem are trivial.
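The reduction of Theorem 3.1 carried out in the setting of Example 3.2, as an added example that is not part of the paper: instead of the random-basis oracle $\mathcal{A}$ it uses the Krylov vectors $u, Mu, \ldots, M^{n-1}u$, which span $F[M]u$, and recovers the shared key $M_g M_h u$ from the public data by solving one linear system. The field $\mathbb{F}_{101}$, the matrix size and the random seeds are constructed toy choices.

```python
# Added example (not the paper's code): Theorem 3.1 applied to Example 3.2.
# G = F[M] acts on F^n by matrix-vector multiplication, F = GF(P) with P prime.
# Given u, v = M_g u and w = M_h u (M_g, M_h in F[M] secret), the shared value
# M_g M_h u is recovered by linear algebra over F alone: no logarithm is needed.
import random

P = 101  # constructed toy field F = GF(101); any prime works here


def mat_vec(M, x):
    return [sum(M[i][j] * x[j] for j in range(len(x))) % P for i in range(len(M))]


def mat_mul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % P for j in range(n)]
            for i in range(n)]


def poly_at(coeffs, M):
    """p(M) = c0*I + c1*M + ... + ck*M^k, evaluated by Horner's rule over matrices."""
    n = len(M)
    acc = [[0] * n for _ in range(n)]
    for c in reversed(coeffs):
        acc = mat_mul(acc, M)
        for i in range(n):
            acc[i][i] = (acc[i][i] + c) % P
    return acc


def solve_mod_p(cols, rhs):
    """Solve sum_j a_j * cols[j] = rhs over GF(P) by Gauss-Jordan elimination.
    Returns one solution (free variables set to 0) or None if inconsistent."""
    n, k = len(rhs), len(cols)
    rows = [[cols[j][i] for j in range(k)] + [rhs[i]] for i in range(n)]
    pivots, r = [], 0
    for c in range(k):
        piv = next((i for i in range(r, n) if rows[i][c] % P), None)
        if piv is None:
            continue                      # no pivot in this column: free variable
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], P - 2, P)   # inverse in GF(P) by Fermat
        rows[r] = [(x * inv) % P for x in rows[r]]
        for i in range(n):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(x - f * y) % P for x, y in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    if any(rows[i][k] % P for i in range(r, n)):
        return None                       # zero row with nonzero right-hand side
    a = [0] * k
    for i, c in enumerate(pivots):
        a[c] = rows[i][k]
    return a


def krylov_columns(M, u):
    """u, Mu, ..., M^(n-1)u: by Cayley-Hamilton these span F[M]u, so every
    M_g u with M_g in F[M] is a combination of them (they play the role of the
    basis of F[G] in the proof of Theorem 3.1, dimension k = deg m <= n)."""
    cols, x = [], u
    for _ in range(len(u)):
        cols.append(x)
        x = mat_vec(M, x)
    return cols


def solve_dh_semigroup(M, u, v, w):
    """Diffie-Hellman semigroup problem for G = F[M]: from u, v = M_g u, w = M_h u
    return M_g M_h u.  Solve (a0 I + a1 M + ...) u = v for the a_j; then a(M)
    commutes with M_h, so a(M) w = a(M) M_h u = M_h a(M) u = M_h M_g u."""
    a = solve_mod_p(krylov_columns(M, u), v)
    if a is None:
        return None                       # cannot happen when v lies in F[M]u
    return mat_vec(poly_at(a, M), w)


def simulate(seed=1, n=4):
    """One honest exchange on constructed random data, then the attack.
    Returns (shared key computed by Alice, key recovered from public data)."""
    rng = random.Random(seed)
    M = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]   # public
    u = [rng.randrange(P) for _ in range(n)]                       # public s
    pa = [rng.randrange(P) for _ in range(n)]                      # Alice's secret
    pb = [rng.randrange(P) for _ in range(n)]                      # Bob's secret
    v = mat_vec(poly_at(pa, M), u)                                 # Alice -> Bob
    w = mat_vec(poly_at(pb, M), u)                                 # Bob -> Alice
    shared = mat_vec(poly_at(pa, M), w)                            # Alice's key
    return shared, solve_dh_semigroup(M, u, v, w)
```

The recovered polynomial need not equal Alice's $p_a$; any element of $F[M]$ sending $u$ to $v$ yields the same key, which is exactly why the ratio $|G|/|F[G]|$ matters only for the SAP and not for the Diffie-Hellman semigroup problem.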

Example 3.3 This example comes from invariant theory (see e.g. [35] for an introduction to this classical subject). We will consider a contragredient matrix action on the ring of polynomials. Fix a finite field $F = \mathbb{F}_q$, an integer $d$ and an abelian sub-semigroup $G$ of $\mathrm{Mat}_n(F)$. Let $V_d$ be the vector space over $F$ of polynomials in $F[x_1, \ldots, x_n]$ of total degree less than or equal to $d$. The action we are considering is

$$A \cdot f(x) = f(Ax),$$

where $x = [x_1, \ldots, x_n]^t$ and $Ax$ is the usual matrix multiplication. This action is linear since $A \cdot (f + g) = A \cdot f + A \cdot g$. If $r = \dim_F V_d$ then we can naturally embed $V_d$ in $F^r$ after having chosen the basis $B = \{x_1^{e_1} \cdots x_n^{e_n} \mid e_1 + \cdots + e_n \le d\}$ of $V_d$. This makes the map $\psi$ easy to compute and to invert. For the sake of clarity, we suppose that $B = \{v_1 = x_1, \ldots, v_n = x_n, \ldots, v_r\}$. We define the map $\rho: G \to \mathrm{Mat}_r(F)$ by letting the $j$-th column of $\rho(A)$ be the coordinate vector, with respect to $B$, of $A \cdot v_j$, where $v_j = x_1^{e_1} \cdots x_n^{e_n}$. So $\rho$ gives the matrix representation of the linear map induced by the action since the $j$-th column of $\rho(A)$ is the image of the $j$-th basis vector $v_j$. Since all the polynomials have degree less than or equal to $d$, the right-hand side can be computed in $O(rnd \log d)$ field operations (see [32, Chapter 1]). Note that if $M \in \rho(G)$, then we can easily find $A$ such that $\rho(A) = M$ since the $i$-th row of $A$ is contained in the $n$ first components of the $i$-th column of $M$. Indeed, if $1 \le i \le n$ then $A \cdot x_i = \sum_{j=1}^n a_{ij} x_j$.

Once again the previous theorem holds and makes the Diffie-Hellman semigroup problem as hard as the linear algebra problem in $F^r$. However note that in that case the semigroup action problem may still be difficult since the ratio $|G|/|F[G]|$ may take very small values because of the big dimension expansion from $n$ to $r$.

4 Linear actions of abelian semirings on semi-modules 

In this section we construct semigroup actions on finite sets starting from a semimodule defined over a semiring. The setup is general enough that it includes the Diffie-Hellman protocol over a general finite group as a special case. It provides on the other hand the flexibility to construct new protocols where some of the known attacks against the discrete logarithm problem in a finite group do not work anymore.

Let $R$ be a semiring, not necessarily finite. This means that $R$ is a semigroup with respect to both addition and multiplication and the distributive laws hold. It is understood that the semiring is commutative with respect to addition. Some authors assume that a semiring has a neutral element with respect to addition. We will not assume that $R$ has either a zero or a one.

Let $M$ be a finite semimodule over $R$. By this we mean that $M$ has the structure of a finite semigroup and there is an action

$$R \times M \to M$$

such that

$$r(sm) = (rs)m, \qquad (r + s)m = rm + sm \quad \text{and} \quad r(m + n) = rm + rn$$

for all $r, s \in R$ and $m, n \in M$.

The semigroup action problem in this setting then asks:

"Given elements $m, n \in M$ find an element $r \in R$ such that $rm = n$."

Before we proceed we would like to explain some of the difficulties in arriving at a square root algorithm which solves the SAP. For this note that many square root attacks seek in this situation a "collision", e.g. in Pollard's rho method elements $r_1, \ldots, r_4 \in R$ are sought such that

$$r_1 m + r_2 n = r_3 m + r_4 n. \qquad (3)$$

If the semiring is a ring then this results in

$$(r_1 - r_3)m = (r_4 - r_2)n$$

and maybe under benign conditions the semigroup action problem can be solved. If the semiring (like e.g. the ones we describe in the next section) has in general no additive inverses, this simple reduction from Equation (3) is not possible. The situation is even worse when $R$ has only a semigroup structure and $M$ is an arbitrary set, since in such a situation no addition is at our disposal at all.

We proceed now and show how to arrive at an abelian semigroup action starting from a semimodule whose coefficient ring is not necessarily multiplicatively commutative.

Let $\mathrm{Mat}_n(R)$ be the set of all $n \times n$ matrices with entries in the semiring $R$. The semiring structure on $R$ induces a semiring structure on $\mathrm{Mat}_n(R)$. Moreover the semimodule structure on $M$ lifts to a semimodule structure on $M^n$ via the matrix multiplication:

$$\mathrm{Mat}_n(R) \times M^n \to M^n, \qquad (A, x) \mapsto Ax. \qquad (4)$$

The action (4) forms a semigroup action of the multiplicative semigroup of $\mathrm{Mat}_n(R)$ on the set $M^n$. In general $\mathrm{Mat}_n(R)$ is not commutative with respect to matrix multiplication. However we can easily define a commutative sub-semigroup as follows:

Let $C \subseteq R$ be the center of $R$, i.e., the subset of $R$ consisting of elements that commute with all other elements. Let $C[t]$ be the polynomial ring in the indeterminate $t$ and let $A \in \mathrm{Mat}_n(R)$ be a fixed matrix. If

$$p(t) = r_0 + r_1 t + \cdots + r_k t^k \in C[t]$$

then we define in the usual way $p(A) = r_0 I_n + r_1 A + \cdots + r_k A^k$, where $r_0 I_n$ is the $n \times n$ diagonal matrix with entry $r_0$ in each diagonal element.
Consider the semigroup

$$G := C[A] := \{p(A) \mid p(t) \in C[t]\}.$$

Clearly $C[A]$ has the structure of an abelian semigroup. Protocol 2.1 then simply requires that Alice and Bob agree on a vector $s \in M^n$. Then Alice chooses a matrix $X \in C[A]$ and sends to Bob the vector $Xs$, an element of the module $M^n$. Bob chooses a matrix $Y \in C[A]$ and sends to Alice the vector $Ys$. The common key is then the vector $XYs$ which both can compute since $X$ and $Y$ commute.

In the special case when $R = M = F$ is a finite field one readily reduces the problem to a simple linear algebra problem over the finite field $F$.

The situation becomes slightly more interesting if we take as a ring $R = \mathbb{Z}$, the integers, and as module any finite abelian group $M = H$. The group $H$ is a $\mathbb{Z}$-module and $\mathrm{Mat}_n(\mathbb{Z})$ operates on $S := H^n = H \times \cdots \times H$ via the formal multiplication:

$$\begin{pmatrix} a_{11} & \cdots & a_{1n} \\ \vdots & & \vdots \\ a_{n1} & \cdots & a_{nn} \end{pmatrix} \begin{pmatrix} g_1 \\ \vdots \\ g_n \end{pmatrix} = \begin{pmatrix} a_{11} g_1 + \cdots + a_{1n} g_n \\ \vdots \\ a_{n1} g_1 + \cdots + a_{nn} g_n \end{pmatrix}. \qquad (5)$$

If $l = \mathrm{lcm}\{|g_1|, \ldots, |g_n|\}$ and $C \in \mathrm{Mat}_n(\mathbb{Z})$ is a matrix with all entries congruent to zero modulo $l$, then $(A + C)g = Ag$ for all $A \in \mathrm{Mat}_n(\mathbb{Z})$. Whence, we may simply consider the action of $\mathrm{Mat}_n(\mathbb{Z}/l\mathbb{Z})$ on $S$.

This problem reduces to a combination of a linear algebra problem and a series of discrete logarithm problems in $H$ as soon as all the elements $\{g_1, \ldots, g_n\} \subseteq H$ lie in a common cyclic subgroup of $H$. Such an attack is even possible when the $\mathbb{Z}$-action on the abelian group is more complicated and we refer to the recent system introduced by Climent et al. [5] and its cryptanalysis [6].

The situation becomes quite a bit more interesting if we consider general finite semirings 
acting on general semi-modules. In the next section we explain an instance where we do not 
know how to efficiently attack such a system. 

5 A two-sided abelian action based on simple semirings

In this section we describe a particular semigroup action, where we do not know how to solve the SAP once the parameters have been chosen large enough. The idea of such an action originates in the dissertation of Maze [24]. Shpilrain and Ushakov [33] have described a similar two-sided action in the context of Thompson groups and Slavin [34] filed a patent based on such ideas.

Let us fix a finite semiring $R$, not embeddable in a field and not necessarily commutative. Given such a semiring, consider $C$, the center of $R$. Throughout this section, we let $n$ denote an arbitrary positive integer. For $M \in \mathrm{Mat}_n(R)$ we denote by $C[M]$ the abelian sub-semiring generated by $M$, i.e., the semiring of polynomials in $M$ with coefficients in $C$. Let $M_1, M_2 \in \mathrm{Mat}_n(R)$ and consider the following action:

$$(C[M_1] \times C[M_2]) \times \mathrm{Mat}_n(R) \to \mathrm{Mat}_n(R)$$

$$((p(M_1), q(M_2)), X) \mapsto p(M_1) \cdot X \cdot q(M_2).$$

This action is linear since

$$p(M_1) \cdot (A + B) \cdot q(M_2) = p(M_1) \cdot A \cdot q(M_2) + p(M_1) \cdot B \cdot q(M_2).$$

Because of this linearity, we avoid the case when $R$ is a finite field (see Theorem 3.1) even if the initial SAP instance related to this semigroup action looks difficult.

The key-exchange algorithm that results from using this semigroup action in Protocol 2.1 explicitly reads as follows.

Protocol 5.1 (Diffie-Hellman with two-sided matrix semiring action)

1. Alice and Bob agree on a finite semiring $R$ with nonempty center $C$, not embeddable into a field. They choose a positive integer $n$ and matrices $M_1, M_2, S \in \mathrm{Mat}_n(R)$.

2. Alice chooses polynomials $p_a, q_a \in C[t]$ and computes $A = p_a(M_1) \cdot S \cdot q_a(M_2)$. She sends $A$ to Bob.

3. Bob chooses polynomials $p_b, q_b \in C[t]$ and computes $B = p_b(M_1) \cdot S \cdot q_b(M_2)$. He sends $B$ to Alice.

4. Their common secret key is then

$$p_a(M_1)\, B\, q_a(M_2) = p_a(M_1) p_b(M_1)\, S\, q_b(M_2) q_a(M_2) = p_b(M_1)\, A\, q_b(M_2).$$

The corresponding SAP that should be hard is: given $M_1, M_2, S \in \mathrm{Mat}_n(R)$ and $T \in C[M_1]\, S\, C[M_2]$ find $U_1 \in C[M_1]$ and $U_2 \in C[M_2]$ so that $T = U_1 S U_2$. We do not know if it is necessary for an attacker to solve this problem, but it certainly is sufficient.
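Protocol 2.1 in the concrete form of Protocol 5.1, as an added example that is not the paper's code: $R$ is the semiring $S = (\{0, 1\}, \max, \min)$ of Example 5.6, so its center $C$ is all of $S$, polynomials in $C[t]$ have 0/1 coefficients, and $p(M)$ is the entrywise max of the powers $M^i$ with $c_i = 1$. Matrix size, polynomial degree and random seed are constructed choices.

```python
# Added example (not the paper's code): Protocol 5.1 over R = ({0,1}, max, min),
# the simple semiring S of Example 5.6.  S is commutative, so its center C is S
# itself; 1 + 1 = 1 in S, so S (and Mat_n(S), simple by Theorem 5.5) is not
# embeddable into a field and the linear-algebra attack of Theorem 3.1 does not apply.
import random


def mat_mul(A, B):
    """Product in Mat_n(S): (AB)_ij = max_k min(A_ik, B_kj) (OR of ANDs)."""
    n = len(A)
    return [[max(min(A[i][k], B[k][j]) for k in range(n)) for j in range(n)]
            for i in range(n)]


def mat_add(A, B):
    """Sum in Mat_n(S): entrywise max."""
    return [[max(a, b) for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def poly_at(coeffs, M):
    """p(M) = c0 I + c1 M + ... + ck M^k for p in C[t], C = {0,1}: the entrywise
    max of those powers M^i whose coefficient c_i is 1 (M^0 = I_n)."""
    n = len(M)
    acc, power = [[0] * n for _ in range(n)], identity(n)
    for c in coeffs:
        if c:
            acc = mat_add(acc, power)
        power = mat_mul(power, M)
    return acc


def two_sided(p, M1, X, q, M2):
    """The action of Section 5: ((p(M1), q(M2)), X) -> p(M1) . X . q(M2)."""
    return mat_mul(mat_mul(poly_at(p, M1), X), poly_at(q, M2))


def random_matrix(rng, n):
    return [[rng.randrange(2) for _ in range(n)] for _ in range(n)]


def random_poly(rng, degree):
    return [rng.randrange(2) for _ in range(degree + 1)]


def key_exchange(n=6, degree=10, seed=3):
    """One run of Protocol 5.1 with constructed random parameters.
    Returns (Alice's key, Bob's key, public transcript (M1, M2, S, A, B))."""
    rng = random.Random(seed)
    M1, M2, S = (random_matrix(rng, n) for _ in range(3))        # step 1, public
    pa, qa = random_poly(rng, degree), random_poly(rng, degree)  # Alice's secret
    pb, qb = random_poly(rng, degree), random_poly(rng, degree)  # Bob's secret
    A = two_sided(pa, M1, S, qa, M2)                             # step 2: Alice -> Bob
    B = two_sided(pb, M1, S, qb, M2)                             # step 3: Bob -> Alice
    k_alice = two_sided(pa, M1, B, qa, M2)                       # step 4, Alice's side
    k_bob = two_sided(pb, M1, A, qb, M2)                         # step 4, Bob's side
    return k_alice, k_bob, (M1, M2, S, A, B)


def commute(p, q, M):
    """p(M) q(M) == q(M) p(M): the commutativity inside C[M] that makes step 4 agree."""
    return mat_mul(poly_at(p, M), poly_at(q, M)) == mat_mul(poly_at(q, M), poly_at(p, M))
```

Only $M_1, M_2, S, A, B$ leave the parties; an eavesdropper holding them faces the SAP stated above with $T = A$ (or $T = B$).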

The remainder of this section is devoted to describing some necessary conditions on 
R for this problem to be difficult, and the existence of semirings meeting these necessary 
conditions. 

Definition 5.2 A congruence relation on a semiring $R$ is an equivalence relation $\sim$ such that $a \sim b$ implies that $ac \sim bc$, $ca \sim cb$, $a + c \sim b + c$ and $c + a \sim c + b$ for all possible choices of $a, b$ and $c$. A semiring $R$ is congruence-free, or simple, if the only congruence relations are $R \times R$ and $\{(a, a) \mid a \in R\}$.

Any congruence relation induces a natural semiring structure on the set $R/\!\sim$ and the quotient map $R \to R/\!\sim$ is a semiring homomorphism. It is also clear that a congruence relation on $R$ induces a congruence relation on $\mathrm{Mat}_n(R)$ for any $n \in \mathbb{N}$.

For cryptographic purposes it is important that the involved semirings are simple to avoid a Pohlig-Hellman type reduction of the SAP. Indeed any congruence relation on $R$ yields a projection of the SAP instance onto a quotient semiring, from which one may gain information about the solution to the original instance. Just as we prefer to work in groups of prime order to avoid a Pohlig-Hellman attack, we would like to work in simple semirings to avoid such a reduction. Let us mention that Monico [29] provided a partial classification of finite simple semirings in 2002 and that Zumbrägel recently provided in [37] a total classification of non-trivial finite simple semirings together with a method for explicitly constructing such objects. For this we first define:

Definition 5.3 A zero of a semiring $R$ is an element '0' such that $a + 0 = 0 + a = a$ and $a \cdot 0 = 0 \cdot a = 0$ for all $a \in R$. A one of a semiring $R$ is an element '1' such that $a \cdot 1 = 1 \cdot a = a$ for all $a \in R$.

Next we show how to build large simple semirings from small simple semirings. We start 
with a technical lemma: 
Lemma 5.4 Let $R$ be an additively commutative semiring with 1 and 0 and let $\sim$ be a congruence relation on $\mathrm{Mat}_n(R)$. Then there exists a congruence relation $\sim_0$ on $R$ such that

$$A \sim B \in \mathrm{Mat}_n(R) \iff a_{ij} \sim_0 b_{ij}, \quad \forall\, 1 \le i, j \le n.$$

Proof: First, given such a semiring $R$, and $M \in \mathrm{Mat}_n(R)$, if $M'$ is obtained from $M$ by a permutation of rows and columns, we prove there exist two invertible matrices $S, P \in \mathrm{Mat}_n(R)$ such that $M' = SMP$. Indeed, the statement is true if one considers matrices with entries in $\mathbb{Z}$ and the usual multiplication, i.e., there exist two permutation matrices (therefore with entries in $\{0, 1\}$) such that $M' = S \cdot M \cdot P$ with $\cdot$ being the usual matrix multiplication. It is then straightforward to verify that the same is true with the operations in $R$ because of the properties of 0 and 1. Let us now prove the stated result. Let $f: R \to \mathrm{Mat}_n(R)$ be the map that sends $a \in R$ to the diagonal matrix with first diagonal element $a$ and zeros everywhere else. The map $f$ is a semiring homomorphism. Let $\sim_0$ be the relation on $R$ defined by $a \sim_0 b$ in $R$ if and only if $f(a) \sim f(b)$ in $\mathrm{Mat}_n(R)$. Observe that $\sim_0$ is a congruence relation on $R$. We prove now that the statement of the lemma is true for $\sim_0$. Let $A, B \in \mathrm{Mat}_n(R)$ and $J = f(1)$. Let $1 \le i, j \le n$ and $S_{ij}, P_{ij} \in \mathrm{Mat}_n(R)$ be permutation matrices such that

$$(S_{ij} A P_{ij})_{11} = a_{ij} \quad \text{and} \quad (S_{ij} B P_{ij})_{11} = b_{ij}.$$

Note that the matrices $S_{ij}$ and $P_{ij}$ exist in $\mathrm{Mat}_n(R)$ by the previous remark. Therefore $J S_{ij} A P_{ij} J = f(a_{ij})$ and $J S_{ij} B P_{ij} J = f(b_{ij})$.

If $A \sim B$ then $J S_{ij} A P_{ij} J \sim J S_{ij} B P_{ij} J$ and therefore $a_{ij} \sim_0 b_{ij}$.

Clearly

$$A = \sum_{i,j} S_{ij}^{-1} f(a_{ij}) P_{ij}^{-1} \quad \text{and} \quad B = \sum_{i,j} S_{ij}^{-1} f(b_{ij}) P_{ij}^{-1}$$

and since $f(a_{ij}) \sim f(b_{ij})$, $A \sim B$. □

As an immediate consequence of this lemma, we have the following theorem which provides arbitrarily large, finite, simple semirings.

Theorem 5.5 Let $R$ be an additively commutative semiring with 1 and 0 and let $n \in \mathbb{N}$. Then $R$ is simple if and only if $\mathrm{Mat}_n(R)$ is simple.

With the help of this theorem we can readily build large finite simple semirings with 0, 1 which are not rings and not embeddable into fields. The following provides several explicit examples of small finite simple semirings with 0, 1 which are not rings and not embeddable into fields.

Example 5.6 Consider the set $S = \{0, 1\}$ with the operations max and min for addition and multiplication respectively. One readily verifies that $S$ has the structure of a finite simple semiring. Note that several polynomial time problems over $\mathbb{Z}$, such as polynomial factorization, have been found to be NP-hard when considered over this semiring $S$ [11].

The following example was found by computer search.

Example 5.7 Consider the set $S_{6,1} = \{0, 1, 2, 3, 4, 5\}$ satisfying the following addition and multiplication rules.

$S_{6,1}$ is a finite simple semiring with 6 elements. This is up to isomorphism the only simple semiring of order 6. This result follows from [23, 37].

Example 5.8 Using the classification of J. Zumbrägel derived in [37] it is possible to derive addition and multiplication tables for many orders. We are grateful to J. Zumbrägel for providing us with the following recently found simple semiring of order 20. Details on how to construct the addition and multiplication tables can be found in [37]. Again one can show that this is up to isomorphism the only simple semiring of order 20.
In order that the two-sided semigroup action described at the beginning of this section is difficult, we would like the sets $C[M_1]$ and $C[M_2]$ to be large with regard to the matrix size $n$. The orders of the matrices $M_1$ and $M_2$ chosen to act on the matrix $A$ on the left and on the right are of prime importance. Indeed the cardinality of the commutative semiring $C[M]$ directly depends on the order of $M$. We study the "sizes" of the orbit of powers of elements in $\mathrm{Mat}_n(S)$ where $S = (\{0, 1\}, \max, \min)$. We will see that these orders give lower bounds for the maximum orders of elements in any semiring with $0$ and $1$. Note that since the semiring $\mathrm{Mat}_n(S)$ is finite, any sequence $\{M^k\}_{k \in \mathbb{N}}$ will eventually repeat, i.e., create a collision of the form $M^k = M^{k'}$ with $k \neq k'$. Computer experiments also showed that in general the set $C[M]$ is much larger than the set $\{M^k\}_{k \in \mathbb{N}}$.

Definition 5.9 Let $a = \{a_k\}_{k \in \mathbb{N}}$ be a sequence in a finite set such that $a_n = a_m \Rightarrow a_{n+1} = a_{m+1}$. The order $\mathrm{ord}(a)$ of $a$ is the least positive integer $m$ for which there exists $k < m$ with $a_k = a_m$. The preperiod $\mathrm{Pr}(a)$ of $a$ is the largest non-negative integer $m$ such that for all $k > m$ we have $a_k \neq a_m$. The period $\mathrm{per}(a)$ of $a$ is the least positive integer $m$ for which there exists an integer $N$ with $a_{m+k} = a_k$ for all $k > N$. If $g$ is an element of a semigroup, then we set $\mathrm{ord}(g) = \mathrm{ord}(\{g^n\}_{n \in \mathbb{N}})$, $\mathrm{per}(g) = \mathrm{per}(\{g^n\}_{n \in \mathbb{N}})$ and $\mathrm{Pr}(g) = \mathrm{Pr}(\{g^n\}_{n \in \mathbb{N}})$.

Clearly $\mathrm{ord}(a) = \mathrm{per}(a) + \mathrm{Pr}(a)$. Returning to the situation of the multiplicative semigroup of $\mathrm{Mat}_n(S)$, we study the question "How large can the order of $M \in \mathrm{Mat}_n(S)$ be?". There already exist some results in this direction. To describe them, we recall that for a given oriented graph $G$, a strongly connected component (written SCC) of $G$ is a sub-graph $H$ of $G$ inside which any two vertices $i$ and $j$ belong to a common oriented cycle, and $H$ is a maximal sub-graph with this property. Such a SCC is written $H \subseteq_{\mathrm{SCC}} G$. The period of a strongly connected component is the maximum between the gcd of the lengths of its cycles and $1$. We refer the reader to [21] for the details.

Proposition 5.10 Let $M \in \mathrm{Mat}_n(S)$ and $G$ be the directed graph whose adjacency matrix is $M$. Then

1. $\mathrm{per}(M) = \mathrm{lcm}\{\text{period of } H \mid H \text{ is a SCC of } G\}$,

2. The numbers $\mathrm{per}(M)$, $\mathrm{Pr}(M)$ and $\mathrm{ord}(M)$ can be computed in $O(n^2)$ time.

This proposition is essentially in [12]. The algorithm given there computes $\mathrm{per}(M)$ in $O(n^2)$ time and an easy modification of it allows one to compute $\mathrm{Pr}(M)$ and therefore $\mathrm{ord}(M)$. We introduce now a function that plays a crucial role: Landau's function $g$. It is defined by

$$g(n) = \max\{\mathrm{ord}(\sigma) \mid \sigma \in S_n\} = \max\{\mathrm{lcm}\{a_1, \ldots, a_m\} \mid a_i > 0,\ a_1 + \cdots + a_m = n\}.$$



It was first studied by Landau [18] in 1903, who proved that

$$\ln(g(n)) \sim \sqrt{n \ln(n)} \quad \text{as } n \to \infty. \qquad (6)$$



In 1984, Massias [22] showed that for sufficiently large $n$,

$$\sqrt{n \ln(n)} \le \ln(g(n)) \le \sqrt{n \ln(n)} \left(1 + \frac{\ln \ln(n)}{2 \ln(n)}\right), \qquad (7)$$
the second inequality in (7) being true for all $n$. Clearly, the function $g$ is increasing. In any case, we have

$$\max\{\mathrm{lcm}\{a_1, \ldots, a_m\} : |a_1| + \cdots + |a_m| = n\} = \exp\big((1 + o(1))\sqrt{n \ln n}\big).$$

On the other hand, the period of any SCC $H \subseteq G$ is less than or equal to $|H|$, and

$$\sum_{H \subseteq_{\mathrm{SCC}} G} |H| \le n.$$

Since the function $g$ is increasing, Proposition 5.10 and Equation (6) give

$$\mathrm{per}(M) \le g\Big(\sum_{H \subseteq_{\mathrm{SCC}} G} |H|\Big) \le g(n) = \exp\big((1 + o(1))\, n^{1/2} \ln^{1/2} n\big).$$

Further, it is not difficult to see that there always exists an oriented graph $G$ with period $g(n)$. Indeed, if $g(n)$ is reached by a partition $a_1 + \cdots + a_m = n$, then a graph $G$ built out of cyclic SCCs of orders $a_i$ satisfies $\mathrm{per}(M) = g(n)$. Such a matrix $M \in \mathrm{Mat}_n(S)$ that reaches this bound is in fact a permutation matrix, and as such it can be seen as an element of any semiring with $0$ and $1$. In other words, in any such semiring the previous bound is reached:

Proposition 5.11 Let $n \in \mathbb{N}$ and $R$ be a semiring with $0$ and $1$. Then

$$\max\{\mathrm{per}(M) \mid M \in \mathrm{Mat}_n(R)\} \ge g(n) = \exp\big((1 + o(1))\, n^{1/2} \ln^{1/2} n\big).$$

If $R = S = (\{0, 1\}, \max, \min)$, then the above inequality is an equality.

The exact computation of $g(n)$, or more precisely of the partition $a_1 + \cdots + a_m = n$ that yields the maximum $g(n)$, is necessary in order to build explicitly a matrix $M \in \mathrm{Mat}_n(S)$ such that $\mathrm{per}(M) = g(n)$. Indeed, the integer $g(n)$ is always a product of primes less than or equal to $2.86\sqrt{n \ln(n)}$, cf. [23]. Therefore the factorization of $g(n)$ can be found in polynomial time in $n$. It is also known that the partition of $n$ that gives the maximum lcm has parts that are all prime powers, cf. [13], and therefore the factorization of $g(n)$ gives the expected partition directly. The algorithm given in [30] allows one to compute $g(n)$ for large integers $n$, up to $n = 32{,}000$, so the exact determination of the matrix $M$ is not a problem. See Table 5.1 for a list of values of $g(n)$ with the associated partition.
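As an added illustration, not from the paper, of Definition 5.9, Proposition 5.11 and the construction just described: the Python below computes $g(n)$ by the prime-power partition argument, builds the permutation matrix over $S = (\{0,1\}, \max, \min)$ from a partition of $n$, and recovers $\mathrm{ord}$, $\mathrm{per}$ and $\mathrm{Pr}$ of its power sequence by iterating until the first repeated power. It assumes the power sequence starts at $M^0 = I$; the 4-vertex matrix with a tail is a constructed example.

```python
from functools import reduce
from operator import or_

def landau_g(n):
    """Landau's g(n): max lcm(a_1, ..., a_m) over all partitions a_1 + ... + a_m = n.
    An optimal partition is made of prime powers of distinct primes padded with 1s, so a
    knapsack over the primes (each used at most once, with one of its powers) finds it."""
    primes = [p for p in range(2, n + 1) if all(p % d for d in range(2, int(p ** 0.5) + 1))]
    best = [1] * (n + 1)              # best[m]: largest lcm reachable with total size <= m
    for p in primes:
        for m in range(n, 0, -1):     # descending m: each prime enters at most once
            q = p
            while q <= m:
                best[m] = max(best[m], best[m - q] * q)
                q *= p
    return best[n]

def bool_matmul(A, B):
    """Product in Mat_n(S), S = ({0,1}, max, min).  A matrix is a tuple of int bitmasks,
    one per row (bit j = column j); row i of A*B ORs the rows of B selected by row i of A."""
    return tuple(reduce(or_, (B[j] for j in range(len(B)) if r >> j & 1), 0) for r in A)

def cycle_matrix(parts):
    """Permutation matrix whose graph is a disjoint union of directed cycles of the given
    lengths (sum(parts) = n); by Proposition 5.10 its period is lcm(parts)."""
    rows, start = [], 0
    for a in parts:
        rows += [1 << (start + (i + 1) % a) for i in range(a)]   # vertex start+i -> successor
        start += a
    return tuple(rows)

def orbit_stats(M):
    """(ord, per, Pr) of the power sequence M^0 = I, M^1, M^2, ... (Definition 5.9):
    ord = index of the first repeated power, Pr = length of the tail before the cycle,
    per = cycle length, so ord = per + Pr."""
    identity = tuple(1 << i for i in range(len(M)))
    seen, power, k = {identity: 0}, identity, 0
    while True:
        power, k = bool_matmul(power, M), k + 1
        if power in seen:
            first = seen[power]
            return k, k - first, first
        seen[power] = k

if __name__ == "__main__":
    parts = [1, 4, 3, 5, 7]                    # partition of 20 reaching g(20) = 420
    print(landau_g(20))                        # 420
    print(orbit_stats(cycle_matrix(parts)))    # (420, 420, 0): no tail for a permutation
    # constructed 4-vertex graph: 3-cycle 0->1->2->0 plus an edge 3->0 feeding into it
    print(orbit_stats((2, 4, 1, 1)))           # (4, 3, 1)
```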

For a given matrix $M \in \mathrm{Mat}_n(S)$, since $S[M] \supseteq \{M^k\}_{k \in \mathbb{N}}$, we have

$$|S[M]| \ge \mathrm{ord}(M) \ge \mathrm{per}(M),$$

and the last inequality can give $|S[M]| \ge g(n)$ for a wisely chosen $M$.

The following corollary shows that the size of the sets $C[M]$ grows exponentially in $n$ for suitable matrices $M$ as soon as the center $C$ contains the elements $0, 1$ of a semiring. Such matrices can even be constructed in an efficient way.

Corollary 5.12 Let $n \in \mathbb{N}$ and $R$ be a semiring with $0$ and $1$ and center $C$. Then there is an $n \times n$ matrix $M$ with entries in $R$ such that the order of $M$ is larger than $g(n)$; in particular the size of $C[M]$ is larger than $g(n)$ as well.
Table 1: Some values of Landau's function g

n      g(n)                                     Associated partition
256    4243057729190280                         8, 9, 5, 7, 11, 13, 17, 19, 23, 29, 31, 41, 43
512    703730288156441825899620                 1, 1, 1, 4, 9, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61
1024   8556747082684398277434193536488991600    1, 1, 1, 16, 27, 25, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89



We conclude the section with an example to illustrate how finite simple semirings could be used to build a practical semigroup action problem.

Example 5.13 Consider the semiring $R = S_{6,1}$ as defined above. The elements $\{0, 1\}$ form the center $C$ of $R$. We will consider the matrix ring $\mathrm{Mat}_n(R)$ with $n = 20$. In this situation the key size is $400 \cdot \lg 6 = 1033$ bits and the value of Landau's $g$ function is $g(20) = 1 \cdot 4 \cdot 3 \cdot 5 \cdot 7 = 420$. By the last corollary $\mathrm{Mat}_n(R)$ contains elements $M$ whose multiplicative order $\mathrm{ord}(M)$ is at least 420. For such an element $M$ the abelian semigroup $C[M]$ contains all elements of the form $\sum_{i=0}^{k-1} r_i M^i$ with $r_i \in \{0, 1\}$. The size of the set $C[M]$ is upper bounded by $2^k$, where $k = \mathrm{ord}(M)$.

The matrices $M_1$ and $M_2$ below are chosen to be close to permutation matrices such that their orders are actually more than 420. The matrix $S$ is also chosen sparse, as computer experiments with the particular ring $S_{6,1}$ showed that this leads to the maximal possible size of the set of possible matrices

$$C[M_1] \cdot S \cdot C[M_2].$$

Upon using these parameters in Protocol 5.1, Alice chooses polynomials $p, q \in C[t]$ and computes

$$A := p(M_1) \cdot S \cdot q(M_2),$$

where $p, q \in C[t]$ were chosen as private keys by Alice in Protocol 5.1.

It is clear that she has more than $2^{420}$ choices for a polynomial $p \in C[t]$, and for such a polynomial $p(M_1)$ can be computed with at most 420 matrix multiplications and additions. Of course Alice can restrict herself to polynomials of smaller degree, say e.g. $< 50$, which still leaves $2^{50}$ choices for $p$ and for $q$ and which reduces the number of matrix multiplications and additions to 100, a task quite easy for an average PC.

Assume Alice has chosen the matrices in the following particular way: 

The only way we know for an attacker to break this system would be to find polynomials $p$ and $q$ such that $p(M_1) S q(M_2) = A$ (or to solve a similar problem in terms of the matrix $B$ Bob computes). If the degrees of $p, q$ are in the range of 50, a brute force search will depend on the size of the set

$$\mathcal{S} := \{p(M_1) \cdot S \cdot q(M_2) \mid \deg p < 50,\ \deg q < 50\}.$$

An immediate upper bound for the size of the set $\mathcal{S}$ is $2^{100}$. We did run extensive computations and could show that $\mathcal{S}$ has size at least $2^{?}$ (exponent illegible in the source), not sufficient to be used as a practical system. It will require further research to estimate the size of $\mathcal{S}$ better and to understand how the sizes grow as we increase both the matrices involved and the simple semirings. E.g. one could run the protocol with the semiring of Example 5.8 and leave the size of the matrices the same.

In order to describe the efficiency of the system, assume that Alice and Bob agree on matrices of size $n$, polynomials $p, q$ of degree at most $k$ and a simple semiring $R$ of cardinality $|R| = \delta$. Then the public key and the data to be transmitted have $O(n^2 \lg \delta)$ bits. The number of required bit operations during encryption is $O(k n^3 (\lg \delta))$ and the computation of the common secret key requires $O(n^3 (\lg \theta))$ bit operations. If $\theta$ denotes the cardinality of the center $C$ of $R$, then an upper bound for the size of the set $\mathcal{S}$ is $\theta^{2k}$.

These complexity estimates suggest that the system should be further analysed, in particular when the sizes of the matrices are small and the size of the ring $R$ is large.
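An added example, not the paper's own code, of the two-sided action of Example 5.13 and of the brute-force set $\mathcal{S}$ an attacker faces: it uses the Boolean semiring $S$ of Example 5.6 in place of $S_{6,1}$ (whose tables are not reproduced here), so the center is $S$ itself; the $6 \times 6$ matrices $M_1, M_2, S$, the polynomial coefficients and the degree bound $k$ are constructed, and polynomials are bounded by $\deg < k$ as in the text.

```python
from functools import reduce
from operator import or_

def mat(*rows):
    """Matrix from 0/1 row strings, stored as one int bitmask per row (bit j = column j)."""
    return tuple(sum(int(ch) << j for j, ch in enumerate(r)) for r in rows)

def mul(A, B):
    # product in Mat_n(S), S = ({0,1}, max, min): OR the rows of B selected by row i of A
    return tuple(reduce(or_, (B[j] for j in range(len(B)) if r >> j & 1), 0) for r in A)

def evaluate(coeffs, M):
    """p(M) for p(t) = sum_i coeffs[i] t^i with coefficients in the center C = {0,1}
    (Horner's rule); any two such polynomials in the same M commute, which the protocol needs."""
    identity = tuple(1 << i for i in range(len(M)))
    acc = (0,) * len(M)
    for c in reversed(coeffs):
        acc = mul(acc, M)
        if c:
            acc = tuple(a | e for a, e in zip(acc, identity))   # matrix addition is OR
    return acc

def key_exchange(M1, S, M2, p, q, p2, q2):
    """Two-sided action of Example 5.13: Alice holds (p, q), Bob holds (p2, q2)."""
    A = mul(mul(evaluate(p, M1), S), evaluate(q, M2))      # Alice publishes A
    B = mul(mul(evaluate(p2, M1), S), evaluate(q2, M2))    # Bob publishes B
    K_alice = mul(mul(evaluate(p, M1), B), evaluate(q, M2))
    K_bob = mul(mul(evaluate(p2, M1), A), evaluate(q2, M2))
    return A, B, K_alice, K_bob                            # K_alice == K_bob

def orbit_size(M1, S, M2, k):
    """|{p(M1) S q(M2) : deg p, deg q < k}|, the set a brute-force attacker must search;
    the trivial bound theta^(2k) = 4^k pairs (p, q) is usually far from the true size."""
    polys = [[m >> i & 1 for i in range(k)] for m in range(1 << k)]
    left = [mul(evaluate(p, M1), S) for p in polys]
    right = [evaluate(q, M2) for q in polys]
    return len({mul(L, R) for L in left for R in right})

# constructed 6x6 parameters: M1, M2 close to permutation matrices, S sparse
M1 = mat("010000", "001000", "000100", "000010", "000001", "100100")
M2 = mat("000100", "100000", "010000", "000010", "000001", "001000")
S = mat("100000", "000000", "000100", "000000", "010000", "000001")

if __name__ == "__main__":
    A, B, Ka, Kb = key_exchange(M1, S, M2, (1, 0, 1, 1), (0, 1, 1), (1, 1, 0, 0, 1), (1, 0, 1))
    print(Ka == Kb)                           # True
    print(orbit_size(M1, S, M2, 6), 4 ** 6)   # reachable products vs the trivial bound 4096
```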






6 Conclusion 



An abelian group can be viewed in a natural way as a $\mathbb{Z}$-module. In this paper we consider the situation when an arbitrary semigroup (instead of just the integers) acts on an arbitrary finite set. The generalization of the discrete logarithm problem results in the semigroup action problem which we study in this paper. In the situation when the semigroup is abelian one has a natural Diffie-Hellman secret key exchange, and a sufficient condition to break the key exchange is to solve the semigroup action problem.

In the later part of the paper we concentrate on a particular semigroup action. We consider the situation where a simple semiring acts on a semimodule. This generalizes the group situation where $G$ is a cyclic group of prime order $p$, i.e. where the simple ring $\mathbb{Z}/p\mathbb{Z}$ is acting on $G$ via exponentiation.

Simplicity of the involved semirings is important in order to avoid Pohlig-Hellman type 
attacks. Using a recently found simple semiring of order 6 we illustrate the techniques in an 
example. It will require further research to assess the security of such systems. 